
Australia's biggest data breach sees 1.3m records leaked

Medical data exposed.

More than one million personal and medical records of Australian citizens donating blood to the Red Cross Blood Service have been exposed online in the country’s biggest and most damaging data breach to date.

A 1.74 GB file containing 1.28 million donor records going back to 2010, published to a publicly facing website, was discovered by an anonymous source and sent to Troy Hunt, security expert and operator of haveibeenpwned.com, early on Tuesday morning.

The database was uncovered through a scan of IP address ranges configured to search for publicly exposed web servers that returned directory listings containing .sql files.

The 'mysqldump' database backup contains everything from personal details (name, gender, physical and email address, phone number, date of birth and occasionally blood type and country of birth) to sensitive medical information, such as whether someone has engaged in at-risk sexual behaviour in the last year.
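As an added illustration (not code from the article or from any organisation it names), the check below runs over web-server access logs and flags successful downloads of database-dump files, noting when the same client first fetched the parent directory, which is the directory-listing route to exposure the article describes. The log lines, IP addresses and paths are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed Apache/nginx "combined" access-log lines (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Oct/2016:03:12:01 +1100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Oct/2016:03:12:02 +1100] "GET /backups/ HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Oct/2016:03:12:05 +1100] "GET /backups/donors.sql HTTP/1.1" 200 1868374528 "-" "Mozilla/5.0"
198.51.100.2 - - [25/Oct/2016:03:15:44 +1100] "GET /backups/donors.sql HTTP/1.1" 404 210 "-" "curl/7.47.0"
198.51.100.9 - - [25/Oct/2016:03:16:10 +1100] "GET /images/logo.png HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# File extensions that typically mean a database dump or backup was left in the web root.
DUMP_EXT_RE = re.compile(r'\.(sql|sql\.gz|sql\.bz2|sql\.zip|dump|bak)$', re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["size"] = 0 if e["size"] == "-" else int(e["size"])
    return e


def find_dump_exposure(log_text):
    """Return one finding per successful GET of a dump-like file.

    via_listing is a heuristic: True when the same client earlier received a 200 for
    the file's parent directory, as it would by browsing an auto-index listing.
    """
    dirs_seen = defaultdict(set)  # ip -> directory paths served with 200
    findings = []
    for e in filter(None, map(parse_line, log_text.splitlines())):
        if e["method"] != "GET" or e["status"] != 200:
            continue
        if e["path"].endswith("/"):
            dirs_seen[e["ip"]].add(e["path"])
        elif DUMP_EXT_RE.search(e["path"]):
            parent = e["path"].rsplit("/", 1)[0] + "/"
            findings.append({"ip": e["ip"], "path": e["path"], "bytes": e["size"],
                             "via_listing": parent in dirs_seen[e["ip"]]})
    return findings
```

A large `bytes` value on a dump download is the strongest indicator; the 404 for the same path from a second client is deliberately not reported, since nothing was served.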

The database collected information submitted when an individual books an appointment - either on paper or online - to donate blood. The process requires donors to enter their personal details and fill out an eligibility questionnaire.

It does not contain data on blood reports or analyses, or responses to the full donor questionnaire all blood bank visitors are required to fill out at the time of their donation.

The database was published on the webserver of a Red Cross Blood Service technology partner that maintains the service's website, not the organisation’s www.donateblood.com.au site where online bookings are made.

It is also the first time sensitive medical details of Australian citizens have been leaked online at scale.

However, Hunt said he did not want the breach to discourage people from donating blood and potentially impact Australia’s crucial blood supply.

“The bigger picture here is that this is lifesaving stuff,” he told iTnews.

“I’ve registered an appointment for Monday through the site and entered all my legitimate information to try and encourage people to donate.”

Privacy Commissioner Timothy Pilgrim has said he will investigate the breach and make his findings public.

"I welcome [the Red Cross'] prompt actions to prevent any further disclosure of this highly sensitive personal information," he said in a statement.

"My office encourages voluntary notification of data breaches, particularly where there is a risk to an individual as a result of a breach. This is good privacy practice as it gives individuals the opportunity to take proactive steps to protect their personal information and also helps to protect an organisation’s reputation by displaying transparency."
